Operation High Roller Adaptation Targeting German Banks

Operation High Roller, first detailed by researchers in mid-2012, was assumed to be waning, but new reports indicate that cyber criminals are once again using automated client- and server-side attacks to move funds to mule accounts. In at least one instance they attempted a fraudulent transaction of €61,000, which would have been a substantial payday for the malware designers.

McAfee and Guardian Analytics had previously discovered that the banking Trojans Zeus and SpyEye had been adapted for automated attacks that bypass multi-factor authentication to target high-value bank accounts. The technique was assumed to have been largely abandoned after the researchers publicly detailed it, but evidence shows that it is now being aimed at accounts with access to the European SEPA payments network.

"SEPA is also very similar to the Automated Clearing House (ACH) network based in the United States and operates in a similar manner. In the case of the attacks we discovered, fraudsters initiate SEPA credit transfers via the ATS, which essentially sends a withdrawal request to the victim’s account to credit to a mule’s account," McAfee's Ryan Sherstobitoff writes.

The sophistication of the attacks requires in-depth knowledge of the targeted networks in order to develop the automated elements that identify high-value accounts and penetrate the systems that credit unions, large financial institutions and regional banks use for electronic funds transfer.

The operation hinges on injecting a hidden iframe into the victim's online banking session to take over the account and transfer funds automatically, without the attacker having to conduct the transaction manually from a separate system, as was usually the case when Zeus and SpyEye were used only to exfiltrate account credentials and then drain the account.

Specially crafted malware carrying a JavaScript payload is designed to infect only about a dozen online banking customers with SEPA access at two German banks. The small target base lets the malicious code remain undetected longer than a widespread infection would, since mass infections could tip off the institutions.

"Although many of the basic threat techniques haven’t changed much, new ways of targeting a financial institution’s online channel continue to grow. The fraudsters are looking for different angles to exploit: these can be anything from the processing times in ACH payments that allow them to get funds to mules quickly, to the lack of two-factor authentication associated with outgoing wires," Sherstobitoff explained. "In this case, the fraudsters have evolved from automated wire transactions to different types of payment channels."

Given the newly identified modifications to the attack, the researchers believe that financial institutions should prepare for a continued shift in tactics by the criminal syndicates behind the operation, and that identifying these more targeted attacks may become even more difficult.

"We don’t expect Operation High Roller activity to disappear anytime soon, so it’s important that we stay vigilant for these attacks," Sherstobitoff advised.

Anthony M. Freed is an information security journalist and editor who has authored numerous feature articles, interviews and investigative reports which have been sourced and cited by dozens of major media outlets, including The New York Times, Reuters, The Register, Financial Times of London, MSNBC, Fox News, PC/IT/Computer/Tech World, eWeek, SC Magazine, CSO Magazine, Federal News Radio, The Herald-Tribune, Naked Security, and many more. Anthony was the Managing Editor of Infosec Island, an online community designed for IT and network professionals who manage security, risk and compliance issues.